Now that 2010 is behind us, I thought it might be interesting to do a little rundown on last year’s vulnerabilities, apply some perspective, and make some guesses about where this is leading us. It was an interesting year, to say the least.
Microsoft is a good barometer, due to their vast market share in the enterprise. 2010 brought us about 270 individual Microsoft vulnerabilities, addressed via 106 separate patches. This represents a 40% increase over 2009 numbers. The chart below shows the growth in vulns over course of the year, compared with 2008 and 2009.
This chart doesn’t tell the whole story, however. Buried among these vulnerabilities were 5 out-of-band patches (2 in January, 1 each in March, August, September). Out-of-band patches are noteworthy because they are disruptive and expensive. Most organizations have well-tuned processes to prioritize and roll out Microsoft’s regular monthly patches, but when MS releases patches outside of this normal rhythm, everyone needs to stop whatever they’re doing and re-assess those priorities. Every time this happens it delays existing work on other business priorities (opportunity cost) and occasionally requires staff to work overtime and on weekends (costing real dollars, and, let’s face it, not really good for morale).
By any measure, maintaining Microsoft applications and infrastructure was an expensive task in 2010, and things are unlikely to get any easier in 2011.
But Microsoft is not the only vendor in the world releasing security patches. 2010 will go down in history as the year that Adobe exploded onto the scene, from a risk perspective. In 2010 Adobe patched more than 200 new vulnerabilities, which represents 400% increase over 2009!
When Adobe vulns were a small trickle, they could be dealt with in an ad-hoc manner. However, now Adobe rivals Microsoft in the frequency of their patch updates, and attackers are actively pursuing these application vulnerabilities to deliver malware to end users. Given the broad deployment of popular Adobe apps such as Acrobat, Flash, and Shockwave, organizations are going to need to deal with Adobe in a much more systematic way.
To their credit, Adobe has attempted to adopt a repeatable patch schedule, similar to Microsoft’s. Back in mid-2009 they announced they would be releasing patches to Acrobat and Reader on a quarterly basis, aligned with Microsoft Patch Tuesday. While the goal was admirable, in practice the execution needs work. In 2010, Adobe actually released Acrobat/Reader patches on only 2 of their scheduled dates (January and April 2010). In addition they released 5 out-of-band patches to Acrobat and Reader, their hands forced by active exploits of zero-day vulnerabilities. Adobe has discussed moving to a monthly scheduled process, which is long overdue, and likely to happen in 2011.
For some reason, Apple has continued to fly mostly under the security radar. Perhaps this reflects the reality that few of their products are widely deployed in enterprise networks. Regardless, Apple saw similar increases to Adobe in 2010. The vast majority of the Apple vulnerabilities got lumped together in the month of November, just as the Thanksgiving holiday was sneaking up on us all here in the US. On Nov 10th, Apple released Mac OS X 10.6.5, which addressed a mind-boggling 135 individual vulnerabilities in the Mac OS operating system. For comparison, this is more than three times the size of Microsoft’s biggest update ever.
Perhaps more interestingly, on Nov 22 Apple released iOS 4.2, which addressed 86 vulnerabilities in the OS that underlies the iPhone, iPad, and iPod Touch. One could be excused for discounting the importance of vulnerabilities in Mac OS to the enterprise, but Apple mobile devices are an undeniable reality in every organization today. These data show that security researchers and hackers are taking a good hard look at the iOS platform; expect significant threats to emerge in 2011.
Apple is not the only mobile vendor to be concerned about. 2010 was the year Android really emerged as a force in the market, from a number of different vendors. Android is a more open platform than iOS, providing fertile ground for the bad guys. And with Android tablets gaining traction (many of which will run Adobe Flash), expect to see interesting developments here in 2011. McAfee Labs echoes these thoughts in their 2011 Threat Predictions white paper:
Questions to ask in 2011
Given that these trends show no indication of changing, every security professional should be asking a few questions as they execute plans for 2011:
· How much is too much? How many patches can my organization realistically roll out on a monthly basis?
· Given that we have no control over the volume of vendor patch releases, what can we do to optimize our responses to rapid-fire vulnerability dislocsures?
· Is it acceptable for users to access corporate data on unprotected devices that are riddled with undiscovered security vulnerabilities?
· Do I have to tools I need to manage vulnerabilities and risk associated with mobile devices?
Forward-looking enterprises will be wise to look at overlapping, proactive countermeasures that provide protection and risk reduction regardless of the vuln-du-jour. Application whitelisting, reputation, and behavioral protection techniques become much more important in this new rapidly-evolving threat landscape. On top of all this, security controls for mobile platforms must evolve very quickly to take on the threats that are just over the horizon. The good news is that once these kinds of controls are reliably in place, all our jobs get a lot easier.
Wishing you a safe and productive 2011!